How Facebook and Apple helped bust the Man behind Kickass

KickassTorrents (KAT), a torrent website that has surpassed The Pirate Bay as the place to go for unofficial copies of movies and TV shows, appears to be in jeopardy.

Homeland Security has already asked that the seven KAT domains named in the complaint are forfeited for their role in facilitating piracy. Verisign is expected to seize the .com and .tv domains, while Mutual Legal Assistance Treaty (MLAT) requests will be sent to registrars in Costa Rica, Tonga and the Philippines. Homeland Security then expects those sites to be redirected to a server of its choosing.

There were 7 domain related to KAT has been busted by U.S government.

Right now, KickassTorrents appears to still be up, at least via the numerous proxy services that support it. However, it's probably only a matter of time until it becomes a lot harder to find. While investigators already had a lot of evidence before they added the iTunes transaction to the mix, the idea that a legal media purchase could be the undoing of a piracy king kinda breaks the irony meter.

How... the Federal U.S government bust the 30-year-old Ukrainian Artem Vaulin a.k.a "tirm," owner and operator of KickassTorrents (KAT), who
was arrested and charged in Poland for criminal copyright infringement
and money laundering.

Apple's involvement

Using basic website-tracking services, Der-Yeghiayan was able to uncover (via a reverse DNS search) the hosts of seven apparent KAT website domains: kickasstorrents.com, kat.cr, kickass.to, kat.ph, kastatic.com, thekat.tv and kickass.cr. This dug up two Chicago IP addresses, which were used as KAT name servers for more than four years. Agents were then able to legally gain a copy of the server's access logs (explaining why it was federal authorities in Chicago that eventually charged Vaulin with his alleged crimes).

Using similar tools, Homeland Security investigators also performed something called a WHOIS lookup on a domain that redirected people to the main KAT site. A WHOIS search can provide the name, address, email and phone number of a website registrant. In the case of kickasstorrents.biz, that was Artem Vaulin from Kharkiv, Ukraine.

Der-Yeghiayan was able to link the email address found in the WHOIS lookup to an Apple email address that Vaulin purportedly used to operate KAT. It's this Apple account that appears to tie all of pieces of Vaulin's alleged involvement together.

On July 31st 2015, records provided by Apple show that the me.com account was used to purchase something on iTunes. The logs show that the same IP address was used on the same day to access the KAT Facebook page. After KAT began accepting Bitcoin donations in 2012, $72,767 was moved into a Coinbase account in Vaulin's name. That Bitcoin wallet was registered with the same me.com email address.

Under Cover Ads Link to Facebook

From November 2015, an undercover IRS Special Agent spoke with a KAT representative about hosting an advertisement that would direct visitors to an undercover site. An agreement was made and the ad, which purportedly advertised a program to study in the United States, would be placed on individual torrent listings for $300 per day. When it finally went live on March 14th 2016, a link appeared underneath the torrent download buttons for five days. It was a short campaign, but it was enough to link KAT to a Latvian bank account, one that received €28 million ($31 million) in deposits -- mainly from advertising payments -- between August 2015 and March 2016.

This back-and-forth also enabled investigators to identify an important point of contact: the email address pr@kat.cr. Not only was it linked to website enquiries, it was the email associated with KAT's social media presences such as Facebook. Agents were able to obtain records from Facebook that showed the "official.KAT.fanclub." page was almost certainly associated with KAT.